Last updated 23 May 2011. Created on 18 June 2008.
Edited by alpha2zee. Log in to edit this page.

...from the htmLawed module handbook

The values filled in the Config. form-fields of the htmLawed configuration form are key-value pairs which are interpreted as array elements. Code, like what is shown below, in the htmLawed.module file uses the PHP eval function for this purpose. Here $setting['config'] is a Config. form-field value like 'safe'=>1, 'elements'=>'a, em, strong'.

eval('$config = array('. $setting['config']. ');');

Drupal administrators who are PHP developers may thus be able to exploit this logic to further refine the htmLawed filtering settings. For example, filling in the Config. form-field for use with comments with a value like the following will exclusively let user with ID 'jdoe' use the 'img' tag when posting comments.

$config = array('safe'=>1, 'elements'=>'a, em, strong');
global $user;
if($user->uid && $user->uid == 'jdoe'){
  $config['elements'] .= ', img';
$config = ($config

...from the htmLawed module handbook

Looking for support? Visit the forums, or join #drupal-support in IRC.


cosmicdreams’s picture

This page could benefit drupal administrators by relating specific configurations to concepts they already understand like the Filtered HTML and Full HTML input filters. While the default configuration handles the case of Filtered HTML sufficiently, the case of the Full HTML input filter can be addressed by referencing this link:

That page explains that if you simply exclude any definition of allowed elements in the config of htmlLawed, it will use the "default" set of allowed elements. That default set is defined as the following:

a, abbr, acronym, address, applet, area, b, bdo, big, blockquote, br, button, caption, center, cite, code, col, colgroup, dd, del, dfn, dir, div, dl, dt, em, embed, fieldset, font, form, h1, h2, h3, h4, h5, h6, hr, i, iframe, img, input, ins, isindex, kbd, label, legend, li, map, menu, noscript, object, ol, optgroup, option, p, param, pre, q, rb, rbc, rp, rt, rtc, ruby, s, samp, script, select, small, span, strike, strong, sub, sup, table, tbody, td, textarea, tfoot, th, thead, tr, tt, u, ul, var 

It also says that by keeping the key/value pair 'safe'=>1, htmlLawed will exclude following elements from that list:

applet, embed, iframe, object and script

So if you want to allow those you'll have to alter that setting as well. Which is a nice segway to...

You can define your config as a subtractive (start with the complete set of elements and define which elements to disallow) set of elements or an additive (start with the empty set add things to it) set. For example, this should be perfectly legal config statement:

'safe'=>1, 'elements'=>'* -center -dir -font -isindex -menu -s -strike -u +script', 'deny_attribute'=>'id, style'

The config above defines is another way to define default set of elements listed in the large code block above excluding the "unsafe" elements. Here we see that:

  • "*" is used to include the full set of html elements,
  • each tag name that follows a "-" is excluded from the set
  • each tag name that follows a "+" is included into the set

It sounds like spec can also be used to disallow elements but it seems more prudent to me to be as descriptive as possible in your config so that you don't need to re-explain your intentions through a secondary configuration stage like spec.

alpha2zee’s picture

The 'Spec.' field is helpful to restrict attributes and attribute-values for specific elements. E.g., it can be used to allow the 'title' attribute in 'a' when it is globally disallowed through 'deny_attribute' in 'Config.'; to restrict 'href' values to specific domains, etc.

'Spec.' cannot be used to restrict elements. For more uses of 'Spec.', refer to the htmLawed documentation.